random

- collection of un-sorted bollocks

riseup.sh (6518B)

      1 #!/bin/bash
      2 # riseup vpn helper - developed by acidvegas (https://git.acid.vegas/random)
      3 DEFAULT_PORT=0
      4 DEFAULT_PROTOCOL=0
      5 DISABLE_IPV6=1
      6 ENABLE_KILLSWITCH=0
      7 
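#######################################
# Persistently disable IPv6 so nothing can leak around the IPv4-only tunnel.
# Writes a sysctl.d drop-in once, and applies the same three keys live on
# every call so the running kernel agrees with the persisted file even when
# the file already existed from an earlier run.
# Globals:   none
# Arguments: none
# Outputs:   sysctl's confirmation lines on stdout
#######################################
function disable_ipv6 {
	local conf=/etc/sysctl.d/99-vpn-disable-ipv6.conf
	local key
	local -a keys=(
		net.ipv6.conf.all.disable_ipv6
		net.ipv6.conf.default.disable_ipv6
		net.ipv6.conf.lo.disable_ipv6
	)
	if [ ! -f "$conf" ]; then
		mkdir -p "${conf%/*}"
		printf '%s=1\n' "${keys[@]}" > "$conf"
	fi
	# sysctl -w is idempotent; applying it unconditionally (the original only
	# did so when it had just created the file) closes the gap where the
	# drop-in exists but has not been loaded since it was written.
	for key in "${keys[@]}"; do
		sysctl -w "${key}=1"
	done
}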
     18 
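#######################################
# Write the OpenVPN client profile to /etc/openvpn/client/riseup/riseup.conf.
# Port and protocol come from DEFAULT_PORT / DEFAULT_PROTOCOL when non-zero
# (menu indices, see the tunables at the top), otherwise from a dialog menu.
# Globals:   DEFAULT_PORT, DEFAULT_PROTOCOL (read); CHOICE, PORT, PROTO (written)
# Arguments: none
# Outputs:   the profile file; exits 1 if a menu is cancelled or the index is
#            not one of the known choices
#######################################
function generate_config {
	if [ "$DEFAULT_PORT" -eq 0 ]; then
		CHOICE=$(dialog --clear --backtitle "RiseUp VPN Helper" --title "Connection" --menu "Select a connection port:" 20 60 20 1 "1194 (Recommended)" 2 "80" 3 "443" 2>&1 >/dev/tty)
		clear
	else
		CHOICE=$DEFAULT_PORT
	fi
	# This must set PORT: the original assigned PROTO here, which the protocol
	# menu below then overwrote, so "remote vpn.riseup.net $PORT" was written
	# with an empty port.
	case "$CHOICE" in
		1) PORT="1194";;
		2) PORT="80";;
		3) PORT="443";;
		*) echo "[!] - No connection port selected!" >&2; exit 1;;
	esac
	if [ "$DEFAULT_PROTOCOL" -eq 0 ]; then
		CHOICE=$(dialog --clear --backtitle "RiseUp VPN Helper" --title "Connection" --menu "Select a connection protocol:" 20 60 20 1 "UDP (Recommended)" 2 "TCP" 2>&1 >/dev/tty)
		clear
	else
		CHOICE=$DEFAULT_PROTOCOL
	fi
	case "$CHOICE" in
		1) PROTO="udp";;
		2) PROTO="tcp";;
		*) echo "[!] - No connection protocol selected!" >&2; exit 1;;
	esac
	# Unquoted delimiter so $PROTO / $PORT expand. 'ca' and 'auth' are relative
	# paths because openvpn is started with --cd into the profile directory.
	# NOTE(review): 'comp-lzo' enables compression, which upstream OpenVPN has
	# deprecated on security grounds; kept as the author wrote it since the
	# server side may still expect it — confirm before removing.
	cat > /etc/openvpn/client/riseup/riseup.conf <<EOF
auth SHA256
auth-user-pass auth
ca ca.pem
cipher AES-256-CBC
client
comp-lzo
dev tun0
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
group vpn
iproute /usr/local/sbin/unpriv-ip
mute 3
nobind
persist-key
persist-tun
proto $PROTO
remote vpn.riseup.net $PORT
remote-cert-tls server
reneg-sec 0
resolv-retry infinite
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
tls-client
tls-version-min 1.2
up /etc/openvpn/scripts/update-systemd-resolved
user vpn
verb 4
EOF
}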
     69 
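#######################################
# Flush, delete and zero every table of the given netfilter tool, then set the
# built-in chain policies to DROP. Shared prologue of both rule sets below.
# Arguments: $1 - iptables or ip6tables
#######################################
function _killswitch_reset {
	local cmd=$1
	local table
	"$cmd" -F
	"$cmd" -X
	"$cmd" -Z
	for table in filter mangle nat raw security; do
		"$cmd" -t "$table" -F
		"$cmd" -t "$table" -X
	done
	"$cmd" -P OUTPUT  DROP
	"$cmd" -P INPUT   DROP
	"$cmd" -P FORWARD DROP
}

#######################################
# Install the VPN kill switch: afterwards only loopback, the tunnel (tun+),
# the local LAN and the VPN handshake itself may leave the host; everything
# else is rejected. The IPv4 rules are saved to /etc/iptables/vpn-rules.v4 on
# the first run and restored verbatim later. With DISABLE_IPV6=1 an IPv6
# drop-everything set is handled the same way via vpn-rules.v6.
# Globals:   DISABLE_IPV6 (read); PORT, PROTO (read; set by generate_config);
#            LAN_SUBNET (optional override of the 192.168.1.0/24 LAN exemption)
# Arguments: none
# Outputs:   the saved rule files; diagnostics on stderr
#######################################
function killswitch {
	local rules_dir=/etc/iptables
	# The exempt LAN used to be hard-coded; the default keeps that behaviour.
	local lan=${LAN_SUBNET:-192.168.1.0/24}
	mkdir -p "$rules_dir"
	if [ -f "$rules_dir/vpn-rules.v4" ]; then
		iptables-restore < "$rules_dir/vpn-rules.v4"
	else
		_killswitch_reset iptables
		iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
		iptables -A INPUT -i lo -j ACCEPT
		iptables -A INPUT -i tun+ -j ACCEPT
		iptables -A OUTPUT -o lo -j ACCEPT
		# 172.27.0.1 is carried over from the original rule set; presumably the
		# in-tunnel gateway/resolver — TODO confirm against the pushed routes.
		iptables -A OUTPUT -d 172.27.0.1 -j ACCEPT
		# Let the handshake to the VPN server out. The original line
		# ('-p -m --dport' with no values) is rejected by iptables, so with
		# OUTPUT at DROP the tunnel itself could never be established.
		if [ -n "${PORT:-}" ] && [ -n "${PROTO:-}" ]; then
			iptables -A OUTPUT -p "$PROTO" --dport "$PORT" -j ACCEPT
		else
			echo "[!] - PORT/PROTO are not set; the kill switch will block the VPN handshake itself!" >&2
		fi
		iptables -A OUTPUT -o tun+ -j ACCEPT
		iptables -A INPUT -s "$lan" -j ACCEPT
		iptables -A OUTPUT -d "$lan" -j ACCEPT
		iptables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable
		iptables-save > "$rules_dir/vpn-rules.v4"
	fi
	if [ "$DISABLE_IPV6" -eq 1 ]; then
		if [ -f "$rules_dir/vpn-rules.v6" ]; then
			ip6tables-restore < "$rules_dir/vpn-rules.v6"
		else
			_killswitch_reset ip6tables
			ip6tables-save > "$rules_dir/vpn-rules.v6"
		fi
	fi
}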
    127 
    128 function menu_auth {
    129 	USERNAME=$(dialog --backtitle "RiseUp VPN Helper" --title "Login" --inputbox "Username:" 8 50 2>&1 >/dev/tty)
    130 	PASSWORD=$(dialog --backtitle "RiseUp VPN Helper" --title "Login" --clear --passwordbox "Password" 8 50 2>&1 >/dev/tty)
    131 	clear
    132 	echo -e "$USERNAME\n$PASSWORD" > /etc/openvpn/client/riseup/auth
    133 	chmod 600 /etc/openvpn/client/riseup/auth
    134 	chown root:root /etc/openvpn/client/riseup/auth
    135 }
    136 
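#######################################
# Route DNS through systemd-resolved so the resolver follows the servers the
# tunnel pushes: installs the update-systemd-resolved hook, points the
# nsswitch 'hosts' line at 'resolve', and starts/enables systemd-resolved.
# Globals:   none
# Arguments: none
# Outputs:   diagnostics; exits 1 if /etc/nsswitch.conf is missing
#######################################
function secure_dns {
	local hook=/etc/openvpn/scripts/update-systemd-resolved
	local hosts_line="hosts: files resolve myhostname"
	if [ ! -f "$hook" ]; then
		mkdir -p "${hook%/*}"
		# NOTE(review): this fetches an unpinned 'master' script that openvpn
		# later executes with elevated privileges (up/down hooks). Pinning a
		# release and verifying its checksum before installing would narrow
		# the supply-chain exposure; the URL is kept as the author chose it.
		wget -O "$hook" https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved
		chmod 750 "$hook"
	fi
	if [ -f /etc/nsswitch.conf ]; then
		if ! grep -q "$hosts_line" /etc/nsswitch.conf; then
			# Edit in place: the original redirected sed's output back onto its
			# own input file, which truncates it before sed gets to read it.
			sed -i "s/hosts:.*/${hosts_line}/" /etc/nsswitch.conf
		fi
	else
		echo "[!] - Failed to locate /etc/nsswitch.conf file!"
		exit 1
	fi
	# Test the exit status directly. Wrapping the call in $(...) ran its
	# output (empty, because of -q) as the command under test, so the outcome
	# did not depend on the service's actual state.
	if ! systemctl -q is-active systemd-resolved.service; then
		systemctl start systemd-resolved
	fi
	if ! systemctl -q is-enabled systemd-resolved.service; then
		systemctl enable systemd-resolved
	fi
}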
    158 
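#######################################
# One-time provisioning: packages, the unprivileged 'vpn' user and group, its
# sudo rule for /sbin/ip, the helper scripts the profile references, and a
# fresh profile directory holding the riseup CA. Ends by prompting for
# credentials (menu_auth).
# Globals:   none
# Arguments: none
# Outputs:   files under /etc and /usr/local/sbin; exits 1 if /etc/sudoers is
#            missing, fails validation, or the CA cannot be downloaded
#######################################
function setup {
	local profile_dir=/etc/openvpn/client/riseup
	local sudoers_tmp
	pacman -S dialog openvpn screen sudo
	mkdir -p /var/lib/openvpn
	if ! id vpn >/dev/null 2>&1; then
		useradd -r -d /var/lib/openvpn -s /usr/bin/nologin vpn
	fi
	if ! getent group vpn >/dev/null; then
		groupadd vpn
	fi
	# Check the user's group list, not the group entry: grepping the output of
	# 'getent group vpn' for "vpn" always matched the group's own name, so the
	# membership was never actually added.
	if ! id -nG vpn | grep -qw vpn; then
		gpasswd -a vpn vpn
	fi
	chown vpn:vpn /var/lib/openvpn
	if [ -f /etc/sudoers ]; then
		sudoers_tmp=$(mktemp) || exit 1
		cp /etc/sudoers "$sudoers_tmp"
		# Passwordless root 'ip' for the vpn user is what lets openvpn drop to
		# user/group vpn and still configure routes through unpriv-ip.
		if ! grep -q "vpn ALL=(ALL) NOPASSWD: /sbin/ip" "$sudoers_tmp"; then
			printf '\nvpn ALL=(ALL) NOPASSWD: /sbin/ip\n' >> "$sudoers_tmp"
		fi
		if ! grep -q "Defaults:vpn !requiretty" "$sudoers_tmp"; then
			printf '\nDefaults:vpn !requiretty\n' >> "$sudoers_tmp"
		fi
		# Validate before installing: a syntax error in /etc/sudoers disables
		# sudo for everyone, so never append to the live file blindly.
		if visudo -c -q -f "$sudoers_tmp"; then
			install -m 440 -o root -g root "$sudoers_tmp" /etc/sudoers
			rm -f -- "$sudoers_tmp"
		else
			echo "[!] - Refusing to install a malformed /etc/sudoers!" >&2
			rm -f -- "$sudoers_tmp"
			exit 1
		fi
	else
		echo "[!] - Failed to locate /etc/sudoers file!"
		exit 1
	fi
	if [ ! -f /usr/local/sbin/unpriv-ip ]; then
		# Quoted delimiter: nothing expands here. "$@" passes each argument to
		# ip intact, where the original's unquoted $* re-split them on spaces.
		cat > /usr/local/sbin/unpriv-ip <<'EOF'
#!/bin/sh
sudo /sbin/ip "$@"
EOF
		chmod 755 /usr/local/sbin/unpriv-ip
	fi
	if [ ! -f /etc/openvpn/openvpn-startup ]; then
		cat > /etc/openvpn/openvpn-startup <<'EOF'
#!/bin/sh
openvpn --rmtun --dev tun0
openvpn --mktun --dev tun0 --dev-type tun --user vpn --group vpn
EOF
		chmod 755 /etc/openvpn/openvpn-startup
	fi
	# Start from a clean profile directory.
	rm -rf -- "$profile_dir"
	mkdir -p "$profile_dir"
	# A failed download would leave an empty ca.pem and a confusing TLS error
	# later; stop here instead.
	if ! wget -O "$profile_dir/ca.pem" https://riseup.net/security/network-security/riseup-ca/RiseupCA.pem; then
		echo "[!] - Failed to download the RiseUp CA certificate!" >&2
		exit 1
	fi
	menu_auth
}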
    201 
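# --- main -------------------------------------------------------------------
# Everything below touches /etc, sysctl and netfilter, so root is required.
if [ "$EUID" -ne 0 ]; then
	echo "[!] - This script requires sudo privileges!"
	exit 1
fi
# First run: provision the system and write the profile.
if [ ! -d /etc/openvpn/client/riseup ]; then
	setup
	generate_config
fi
secure_dns
if [ "$DISABLE_IPV6" -eq 1 ]; then
	disable_ipv6
fi
# The kill switch must be in place before the tunnel comes up. openvpn runs
# in the foreground here (the profile has no 'daemon' directive), so calling
# killswitch after it — as the original did — left the session unprotected
# and only locked the host down once the VPN had already exited.
if [ "$ENABLE_KILLSWITCH" -eq 1 ]; then
	killswitch
fi
openvpn --cd /etc/openvpn/client/riseup --config riseup.conf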